Google fixed a flaw in its beta desktop search tool that could have given hackers access to users'
local searches, officials said Monday.

The vulnerability, discovered and reported by three members of Rice
University's computer science department, proved it was possible for a
malware writer to grab information from a Web page
containing any desktop searches performed by a user infected with a
JavaScript- or applet-based program.

According to the paper "Attacks on Local Searching Tools" by
Dan Wallach, Seth Nielson and Seth Fogarty, Google's desktop
search program creates a local Web server but only allows the user to get at
the data through localhost or 127.0.0.1 connections.

Given Google's Web-centric nature, a desktop search also simultaneously
conducts a Web search on Google's site, returning the query and appending it
to the desktop search.

The researchers were able to determine that the
integration of the desktop and Web searches was conducted by some agent
running locally, based on any HTTP request made to the Google
Web server. From there, it was a matter of finding a method to prompt a Web
search, which would then automatically include the local search.

"While an attacker would not be
able to read the victim's files directly, the search results often contain
snippets of the file results that will be visible to the attacker."

Those snippets, they state, can contain sensitive information, such as a list of
passwords to Web sites.

"Because the Google Desktop application bases its decision to integrate
strictly on network traffic, all that is required for an eavesdropper to
obtain an integrated Web page is to open a socket on the target computer and
send an HTTP request to Google.com, either directly or through any server
configured as a Web proxy server," the research paper notes. "This is well
within the capabilities of a Java applet, even when running with the
restrictive 'sandbox' security model."

To work, the JavaScript or applet must either be downloaded from a Web site
containing the malware applet or sent as an e-mail attachment, with the
owner subsequently opening the file.

According to a Google spokesperson, the vulnerability was fixed and the
company started "pushing" the update to users' computers last week. Like
Windows Update, Google Desktop Search users can automatically have updates
to their programs downloaded and installed onto their computers.

"We were made aware of this vulnerability with the Google Desktop Search
software and have since fixed the problem so that all current and future
users are secure," the Google spokesperson said in a statement.

This is the second reported Google Desktop Search flaw since the company released
its beta product back in October. A month after the tool was released for
general availability, VPN Central and Meta Group analysts reported on a flaw
in the program allowing remote users with administrative rights,
connected via a virtual private network (VPN ), to index
information on any hard drives attached to the machine, such as departmental
servers.

Google officials wouldn't say which method they used, but the report
indicates the search company went with an internal frame (or IFRAME)
approach to remove the vulnerability. The fix involves inserting local
searches into an IFRAME separate from the main search results page, giving
the local information a different "source" than the Web page.

Google is facing increasing competition from rival software vendors to
provide a robust desktop search component. While there have been desktop
search tools for some time, the interest of companies like Google, Microsoft
, AOL , Ask Jeeves ,
Amazon and Yahoo in the area of
desktop search has created a lot of industry buzz.